EPCS Third-party audits: the CPA perspective
13 September 2012

Agenda
  Introduction
  History
  Report review
  Audit process
  Moving forward
Introduction
1311.300 Application provider requirements: Third-party audits or certifications.

(a) Except as provided in paragraph (e) of this section, the application provider of an electronic prescription application or a pharmacy application must have a third-party audit of the application that determines that the application meets the requirements of this part at each of the following times:
  (1) Before the application may be used to create, sign, transmit, or process controlled substance prescriptions.
  (2) Whenever a functionality related to controlled substance prescription requirements is altered or every two years, whichever occurs first.

(b) The third-party audit must be conducted by one of the following:
  (1) A person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit.
  (2) A Certified Information System Auditor who performs compliance audits as a regular ongoing business activity.

(c) An audit for installed applications must address processing integrity and determine that the application meets the requirements of this part.

(d) An audit for application service providers must address processing integrity and physical security and determine that the application meets the requirements of this part.
Personal background
  Chris Halterman, Executive Director, Ernst & Young Advisory Services
  Chair, American Institute of Certified Public Accountants (AICPA) Trust/Data Integrity Task Force
  24 years performing audits in the healthcare industry
  Chaired AICPA efforts to address EPCS reporting

And now terminology
  Criteria: the standards or benchmarks used to measure and present the subject matter and against which the practitioner evaluates the subject matter.
  Trust Services criteria: a set of criteria used to evaluate internal control of a system as it relates to security, availability, processing integrity, confidentiality and privacy.
  SysTrust SM and WebTrust SM Reports: accountants' audit reports that use the Trust Services criteria to evaluate systems and e-commerce systems, respectively.
  SAS 70 Report: an audit on controls relevant to user entities' internal control over financial reporting. Replaced by a Service Organization Control 1 report (often referred to as a SOC 1 or SSAE 16 report).
  A person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit: a Certified Public Accountant licensed by the state board of accountancy of the state in which the report is to be issued.
  Certified Information System Auditor (CISA): a person who has passed the CISA exam and meets the education requirements established by ISACA (formerly, the Information Systems Audit and Control Association).

Goals
  Understand what is required
  Understand how the requirements were established
  Understand what it means for your organization
  Identify developing issues

AICPA operating model for new reports
  Understand the needs of the users
  Identify the criteria to be used
  Evaluate the criteria for suitability
  Draft a model report
  Provide guidance to CPAs
History
Events to date
  AICPA became aware of the interim final rule
  Responsibility assigned to the Trust/Data Integrity Task Force
  Working group created to understand the requirements of the Rule
  Interaction with industry leaders
  Draft report created and sent to DEA
  Comments received from DEA
  Changes made in response to DEA comments
  Revised report submitted to DEA
  Guidance published by AICPA

Analysis of requirements
  "a third-party audit of the application that determines that the application meets the requirements of this part"
    Identification of the requirements
    Evaluation of the requirements against the definition of suitable criteria
  "The third-party audit must be conducted by one of the following: (1) A person qualified to conduct a SysTrust, WebTrust, or SAS 70 audit."
    Note that the Rule does not require the report to conform to one of these three report types.
    This gave the AICPA the flexibility needed to develop a report that met the DEA requirements.

Analysis of requirements (continued)
  "(c) An audit for installed applications must address processing integrity and determine that the application meets the requirements of this part."
    Relationship of an installed application to a system, in order to evaluate processing integrity
    Concept of processing integrity
  "(d) An audit for application service providers must address processing integrity and physical security and determine that the application meets the requirements of this part."
    Implications of the application being delivered as a service
    Consideration of processing integrity and physical security
Report review
AICPA illustrative reports: high-level review
  http://www.aicpa.org/interestareas/frc/auditattest/reporting/downloadabledocuments/dea_reports.pdf

Criteria
  All software: Rule requirements
  Installed software and application service providers: Trust Services criteria relevant to processing integrity and security
    Policies
    Communication
    Risk assessment
    Logical access
    Application development
    Controls over input, processing and output
    Monitoring
Audit process
Steps in the audit
  Defining the system
  Testing date/period
  Testing environment
  Processing integrity and security
  Engagement agreement
  Information requests
  Resolution of testing issues
  Reporting

Controlling costs
  Auditor costs
    Joint project management
    Personnel availability
    Recordkeeping
    Issue resolution
    Turn-around time
  Internal costs
    Time commitment of key personnel
    Delays
    Miscommunication/misinformation

Tips for working with auditors
  Organization of requested information
  Understanding
  Responsiveness
  Others?
Moving forward
Challenges
  When to start testing
  Rate of adoption
  Other healthcare system spending priorities
  Retesting issue
Special thanks to Steve Kelleher for his guidance and assistance
Questions?
Contact information
  Chris Halterman
  Ernst & Young LLP
  801 Grand Avenue, Suite 3000
  Des Moines, Iowa 50309
  +1 515 362 7026
  Chris.Halterman@ey.com